[plug] Software Maturity and Security (was This Mailing List)

Christian christian at global.net.au
Mon Jan 31 09:27:59 WST 2000


Since this is on a different subject, it's probably safe to reply...

John Summerfield wrote:
> I also recommend against recompiling software just to optimise it for your
> CPU, upgrading to new releases of software just because they're there.
> Should anyone ask, I'd tell them not to bother with the new BIND that C
> mentioned; it's sure to be full of new bugs for quite a while - that's the
> nature of new software. Better to bolt the old one down in a cage for the
> short term, & updating to the latest and greatest new computer if your
> ancient 486 is doing the job well enough.

[Ignoring apparently irrelevant comment about recompiling software.]  I
don't know if you're referring to BIND 9 or dnscache as the piece of
software to ignore for a while and I also can't tell if you're referring
to security bugs specifically or just bugs in general, but, at least for
the former, you're certainly wrong.  It is true that new software is
often released and experiences a large number of security problems which
usually tend to gradually decrease as the software matures.  However, if
a piece of software is developed specifically with security in mind then
it will experience very few security problems AND these will also tend
to decrease until they reach what is probably the minimum possible.  It
will also mature in this way in *much* less time than that required by
software developed using an ad-hoc approach to security.  There are
three prime examples of this that I can think of off the top of my head:
OpenBSD, Postfix and qmail.  sendmail, BIND and Linux largely represent
excellent examples of the alternative (although there are sadly many,
many more): minimal attention paid to security during development with
it being added in a retrospective and ad-hoc manner.  I base this on my
own research (hopefully soon to be published).

BTW, SecurityFocus is an excellent site but I agree with you that the
packaging is really irritating.  Tricks such as opening up the frame you
want in a separate window and adding ACLs to deny access to the
ad-servers make it much more bearable. :-)  It's particularly ironic
that you need JavaScript switched on in order to use the site given that
the published workaround for virtually every browser flaw tends to be
"Disable JavaScript". :-)

Regards,

Christian.



More information about the plug mailing list